CVE-2025-5120

10.0 CRITICAL

📋 TL;DR

This CVE describes a critical sandbox escape vulnerability in huggingface/smolagents version 1.14.0 that allows attackers to bypass execution restrictions and achieve remote code execution (RCE). The vulnerability undermines the core security boundary designed to isolate untrusted code, potentially compromising the host system. Anyone using the affected version of smolagents is at risk.

💻 Affected Systems

Products:
  • huggingface/smolagents
Versions: Version 1.14.0 specifically (resolved in 1.17.0)
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the local_python_executor.py module which inadequately restricts Python code execution despite security checks.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with full remote code execution, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Unauthorized code execution leading to data leakage, system manipulation, and potential integration-level compromise of dependent systems.

🟢 If Mitigated

Limited impact with proper network segmentation and minimal privileges, though the sandbox boundary is still breached.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit leverages whitelisted modules and functions to bypass the executor's restrictions. Public bounty details are available at huntr.com.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.17.0

Vendor Advisory: https://github.com/huggingface/smolagents/commit/33a942e62b6fbf6a35d41f1c735bda2d64c163d0

Restart Required: Yes

Instructions:

1. Update smolagents to version 1.17.0 or later using pip: pip install --upgrade "smolagents>=1.17.0" (quote the requirement; unquoted, the shell treats > as an output redirect and the version constraint is lost)
2. Restart any services or applications using smolagents
3. Verify the update was successful (see How to Verify below)

🔧 Temporary Workarounds

Disable local_python_executor (applies to: all)

Disable or restrict usage of the vulnerable module if it is not required; modify the application configuration so the local_python_executor functionality is not used.

Network isolation (applies to: all)

Isolate systems running the vulnerable version from sensitive networks; implement firewall rules to restrict inbound and outbound connections.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Apply principle of least privilege and monitor for suspicious process execution

🔍 How to Verify

Check if Vulnerable:

Check whether the installed smolagents version is 1.14.0: python -c "import smolagents; print(smolagents.__version__)"

Check Version:

python -c "import smolagents; print(smolagents.__version__)"

Verify Fix Applied:

Verify the reported version is 1.17.0 or higher: python -c "import smolagents; print(smolagents.__version__)"

📡 Detection & Monitoring

Log Indicators:

  • Unusual Python module imports
  • Suspicious process execution from smolagents context
  • Sandbox escape attempts in application logs

Network Indicators:

  • Unexpected outbound connections from smolagents processes
  • Data exfiltration patterns

SIEM Query:

Process creation where parent process contains 'smolagents' AND command line contains suspicious Python execution patterns
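The SIEM description above, worked into runnable detection logic as an added example (not from the advisory or the smolagents project). The event field names parent_command_line and command_line, and the pattern list, are assumptions to be mapped onto your own EDR or Sysmon schema; the sample events are constructed.

```python
import re
from typing import Dict, List, Tuple

# Regexes approximating the advisory's "suspicious Python execution patterns".
# Assumed starting set, not a vendor-supplied list; tune to your environment.
SUSPICIOUS_PATTERNS = {
    "os.system": re.compile(r"\bos\.system\s*\("),
    "subprocess": re.compile(r"\bsubprocess\.(?:run|Popen|call|check_output)\b"),
    "dunder_import": re.compile(r"\b__import__\s*\("),
    "shell_dash_c": re.compile(r"\b(?:sh|bash|dash)\s+-c\b"),
}


def flag_event(event: Dict[str, str]) -> List[str]:
    """Return names of patterns matched by a process-creation event whose
    parent command line references smolagents; an empty list means no finding."""
    parent = event.get("parent_command_line", "").lower()
    if "smolagents" not in parent:
        return []
    cmd = event.get("command_line", "")
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run flag_event over a batch and keep only the events that produced hits."""
    findings = []
    for idx, event in enumerate(events):
        hits = flag_event(event)
        if hits:
            findings.append((idx, hits))
    return findings


# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    # Benign: agent launched by an ordinary runner, no smolagents parent.
    {"parent_command_line": "python3 -m uvicorn app:api",
     "command_line": "python3 agent.py"},
    # Suspicious: child of a smolagents worker spawns a process via subprocess.
    {"parent_command_line": "python3 run_smolagents_task.py",
     "command_line": "python3 -c \"import subprocess; subprocess.run(['id'])\""},
    # Suspicious: a shell with -c started from a smolagents worker.
    {"parent_command_line": "/opt/venv/bin/python /opt/app/smolagents_worker.py",
     "command_line": "/bin/sh -c 'uname -a'"},
    # Same shell pattern but unrelated parent: not flagged by this rule.
    {"parent_command_line": "cron",
     "command_line": "/bin/sh -c 'logrotate /etc/logrotate.conf'"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The parent-process condition is what keeps the rule from firing on every shell spawned by cron or an unrelated service; expect to add environment-specific exclusions once it runs against real telemetry.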
